Are you a user of China's state-owned China Telecom Chinanet network?
For a short time yesterday, it appeared that Facebook traffic might be written on the Great Wall, not just on users' individual walls.
For about 30 minutes Tuesday morning, when customers of AT&T's Internet services browsed Facebook, that traffic went not by the most direct route, but through servers in China and South Korea, according to independent security researcher Barrett Lyon.
Normally AT&T would have handed off packets representing content requests, session IDs and other data – most of which travels unencrypted to and from Facebook – to Level3 Communications, which would hand them off to Facebook servers.
Instead they went the long way, through subnetworks owned by China Telecommunications, the state-owned ISP of mainland China, then to SK Broadband, a commercial ISP in South Korea, before finding their way to Facebook.
Here's the route, according to Lyon:
This morning’s route to Facebook from AT&T:
route-server>show ip bgp 184.108.40.206 (Facebook's www IP address)
BGP routing table entry for 220.127.116.11/20, version 32605349
Paths: (18 available, best #6, table Default-IP-Routing-Table)
  Not advertised to any peer
  7018 4134 9318 32934 32934 32934
The AS path (routing path) translates to this:
- AT&T (AS7018)
- Chinanet (Data in China AS4134)
- SK Broadband (Data in South Korea AS9318)
- Facebook (Data back to US 32934)
Current route to Facebook via AT&T:
route-server>sho ip bgp 18.104.22.168/20
BGP routing table entry for 22.214.171.124/20, version 32743195
Paths: (18 available, best #6, table Default-IP-Routing-Table)
  Not advertised to any peer
  7018 3356 32934 32934, (received & used)
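The comparison between the two route-server outputs above can be automated. The Python below is an added example, not code from the article or from Lyon: it extracts the AS path, collapses prepended repeats, and flags any transit AS outside an allowlist. The allowlist `{3356}` (Level3, the usual handoff the article describes) and the function names are assumptions made for illustration.

```python
import re

# AS names as used in the article; AS3356 is Level3, the usual handoff it describes.
AS_NAMES = {7018: "AT&T", 4134: "Chinanet", 9318: "SK Broadband",
            3356: "Level3", 32934: "Facebook"}

# Route-server output quoted in the article, with line breaks restored.
ANOMALOUS = """BGP routing table entry for 220.127.116.11/20, version 32605349
Paths: (18 available, best #6, table Default-IP-Routing-Table)
  Not advertised to any peer
  7018 4134 9318 32934 32934 32934"""
CURRENT = """BGP routing table entry for 22.214.171.124/20, version 32743195
Paths: (18 available, best #6, table Default-IP-Routing-Table)
  Not advertised to any peer
  7018 3356 32934 32934, (received & used)"""

# An AS path line holds only AS numbers, optionally followed by ", (status)".
AS_PATH_LINE = re.compile(r"\s*((?:\d+\s+)*\d+)\s*(?:,.*)?")

def parse_as_path(output):
    """Return the first AS path in the output with prepended repeats collapsed."""
    for line in output.splitlines():
        m = AS_PATH_LINE.fullmatch(line)
        if m:
            path = [int(a) for a in m.group(1).split()]
            return [a for i, a in enumerate(path) if i == 0 or a != path[i - 1]]
    raise ValueError("no AS path line found")

def check_path(path, origin, allowed_transit):
    """List deviations from the expected origin AS and the transit allowlist."""
    findings = []
    if path[-1] != origin:
        findings.append(f"origin AS{path[-1]}, expected AS{origin}")
    for asn in path[1:-1]:  # path[0] is the vantage AS, path[-1] the origin
        if asn not in allowed_transit:
            findings.append(f"unexpected transit AS{asn} ({AS_NAMES.get(asn, 'unknown')})")
    return findings

if __name__ == "__main__":
    for label, out in (("anomalous", ANOMALOUS), ("current", CURRENT)):
        path = parse_as_path(out)
        print(label, path, check_path(path, 32934, {3356}) or "ok")
```

A check like this only sees the path from one vantage point; the origin AS was correct in both outputs, so origin validation alone would not have flagged the detour.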
Lyon theorizes the odd routing might have been an error within the BGP routing tables that tell Internet backbone routers where to send traffic.
Twice last year similar changes to BGP tables sent as much as 15 percent of all Internet traffic through China, on servers belonging to China Telecommunications.
A U.S. federal special commission on China concluded the re-routing was done purposely, probably to help China collect intelligence. The Chinese carriers involved denied the charge.
Facebook responded with a press release saying no Facebook traffic actually passed through China's geographic territory, leaving open the possibility it may have gone through a China Telecom-owned Chinanet server located in Europe or the U.S.
Facebook issued a statement that said:
We are investigating a situation today that resulted in a small amount of a single carrier's traffic to Facebook being misdirected. We are working with the carrier to determine the cause of this error.
Our initial checks of the latency of the requests indicate that no traffic passed through China.
Lyon told The Register that he identified the change in routing using AT&T's IP Services Route Monitor (telnet://route-server.ip.att.net).
Facebook is not famous for its ability to deliver secure communications. Still, having your status updates routed through one of the countries the head of all U.S. intelligence agencies considers a major cyberwar opponent probably isn't your idea of "social networking" either.
Since January, Facebook has offered SSL encryption as well as HTTPS protection for login data.
If you use AT&T and Facebook – or even just Facebook – it's probably not a bad idea to turn it on.